The more convenient our payments, the more security conscious we need to be.
I had the privilege recently of attending Mastercard’s annual Connecting Tomorrow conference where future payment technologies are showcased to the financial industry. I witnessed some of the cutting-edge payment technologies which are aimed at removing ‘friction’ points when it comes to making payments.
Technologies include wearables such as a watch or even a ring used for contactless payments, and turning your car into a payment channel for fuel purchases, so you don’t need to pull out your card to pay for fuel.
Technology also enables informal traders to buy goods through a smartphone from a large wholesaler or to link small farmers to large buyers of agricultural goods through a seamless payment system.
One of the concepts demonstrated that really appeals to me, is the Travelpass. When ready, this platform will allow you to book and pay for your entire trip on one app ‒ from airline tickets and taxis to hotels and even restaurants ‒ by integrating with third parties. You could even use your phone to check in to a hotel, bypassing reception by just tapping the hotel room’s contactless key with the payment deducted from your linked card.
While the technology is impressive, what level of security are we giving up for convenience?
According to a recent survey in South Africa conducted by Mastercard, about 87 percent of people now accept that data breaches and hacks are the new normal and will likely happen to everyone.
According to Simon Hunt, head of cyber security innovation at Mastercard, any new technology is about balancing risk and reward. “The question the consumer needs to ask is, ‘Is the experience worth the risk?’ There is always some risk when it comes to making payment easier. The key is to limit the risk.”
Compare this to our decision to climb into a car every day. Based on South African statistics, 45 people a day die in car accidents and 410 are injured. Yet the convenience of road transport outweighs the risks we take. “Our job at Mastercard is to develop experiences so compelling and to reduce risk sufficiently to make them worth it,” says Hunt.
But do we know how much risk we are taking with digital payments? A lot comes down to our own behaviour and our lack of understanding about how to improve our security.
The South African Mastercard survey found that 70 percent of people believe there is not much they can do to protect their personal and financial information from being stolen, but that is not true. It’s about knowing how to reduce your risk.
A banking app is safer than online banking
For example, did you know that using your banking app is much safer than using online banking through your laptop or PC? Hunt explains that using your phone’s biometric security, ie, using your fingerprint to log in, is the most secure way to access your bank account – especially on newer-model smartphones. Laptops and PCs are far easier to hack than your phone, and cybercriminals can capture things like keystrokes when you type in passwords on your laptop. If you are using your phone’s biometric security, there is no way to capture that fingerprint. This explains why there are fewer security steps when making payments from your banking app than online banking which usually requires one-time passwords.
How safe is it to store your credit card details on a browser?
Whenever my Chrome browser asks me if I want to store my credit card details, I always refuse, as that feels like I am compromising my data. Yet Hunt says it is a lot safer than giving someone your credit card details over the phone or in an email. The browser will only store your credit card number, not your secure CVC number (on the back of your card) or your card’s expiry date. This is about balancing convenience and security. People find it hard to remember their full credit card number but can remember a short CVC code and expiry date. The convenience is not having to remember the long number but limiting risk is having to input the main security features.
How safe is online shopping?
An online shopping site should require two-factor authentifiaction such as issuing a one-time PIN, yet the main risk is when the site’s own security is compromised. No matter what security banks have in place, if the website owners are not updating their own systems, they will make consumer data vulnerable. During the Mastercard conference Andrew Henwood of Forenics, took us through a real live hack of a retailer website which had not updated to a newer version of their merchant payment program. While he had created the retailer website for the demonstration, there are many actual retailer sites using the same compromised software.
It took him about three seconds to hack the website and place a code which collected information when the online buyer enters card details. He exploited a weakness which had already been identified three years earlier and corrected in updates of the program. However, the retailer had not run the updates, leaving the site vulnerable. It was a good lesson in the importance of always running updates on your computer and smartphone, but it also made me more inclined to stick to larger retailers who have proper security protocols in place.
You are the biggest risk to your security
Of the $1.5 trillion lost to cybercrime, most of it is due to phishing where a cybercriminal obtains the data directly from a consumer, usually via scam emails where consumers are tricked into providing their security information. Not updating your software on your devices also makes you vulnerable to data hacking.
According to Mark Elliott, division president of Mastercard, Southern Africa, their survey found that for many South Africans, taking the time to secure their information online is seen as an inconvenience. In fact, of South Africans who find it inconvenient, many say it is a bigger hassle than sitting in traffic (42 percent), dieting (34 percent), performing household chores (33 percent) or doing taxes (31 percent).
To overcome human vulnerability, technology is constantly being developed to detect unusual behaviour. Apart from teams of people analyzing data and tracking information on the dark web, innovation in technology is constantly evolving beyond just using fingerprints to identify us. New technologies can use our physical behaviour, like the speed we type or the angle we usually hold our phone, to verify our identity.
And, according to Elliott, if our information is hacked, cardholders have zero liability protection so they won’t be held responsible for unauthorized transactions.
Steps you can take to protect your data
The South African Mastercard survey asked what people were willing to give up in order to ensure their data security. Here are some of the findings:
|What consumers are willing to give up:||What consumers can do:|
|49 percent would give up social media.||It isn’t necessary to quit social media, but reducing the amount of personal information shared online makes it harder for criminals to hack accounts.|
|56 percent would give up 15 minutes of their day.||Strong passwords are not enough. Using multi-factor authentication and adding biometrics to access accounts or checking who sent an email before clicking a link or opening an attachment takes less than 15 minutes a day.|
|27 percent would give up coffee.||You don’t need to trade caffeine for security, but you do need to be careful not to share sensitive information when using public WiFi spots.|
|7 percent would give up their dream job.||By adopting smart security habits, you keep your employer secure and become a dream employee.|
– Source: Mark Elliott, division president of Mastercard, Southern Africa
Making bill payment less of a hassle
One of the new technologies showcased at Connecting Tomorrow to reduce friction in consumer payments has been introduced to South Africa. South Africans can now buy prepaid utility services or pay their accounts from approximately 600 bill issuers with the new EasyPay mobile app using Masterpass, the global digital payment service from Mastercard.
EasyPay processes 1.3 million monthly account payment transactions for over 40 traffic authorities, 80 municipalities, and 460 bill issuers including insurance and medical service companies. The company has recently aggregated all these billers into a mobile app, enabling people to pay their municipal and electricity bills, traffic fines, television licences, DSTV accounts and a wide range of others. They can also buy prepaid electricity, water and gas.
To use the service, South Africans must download the EasyPay mobile app, register and enter the unique EasyPay number printed on the bill they want to settle. To pay an account or top up, users tap the Masterpass checkout button and enter their bank card’s ATM PIN number to authorise payment. Their account will be updated immediately.
People can load details of their credit, cheque or debit card issued by any South African bank into the in-app digital wallet. Payment card information is captured only once, meaning that consumers do not have the hassle of entering these details every time they want to make a payment. Masterpass also uses multiple layers of security to ensure the user’s personal and payment details are protected.
This article first appeared in City Press.